

Timestamp:
05/02/2010 10:53:59 PM (14 years ago)
Author:
ryan
Message:

Escape links by default. Props alexkingorg. see #13051

File:
1 edited

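--- a/trunk/wp-admin/includes/dashboard.php
+++ b/trunk/wp-admin/includes/dashboard.php
@@ -384,12 +384,12 @@
     if ( 'post' === strtolower( $_SERVER['REQUEST_METHOD'] ) && isset( $_POST['action'] ) && 0 === strpos( $_POST['action'], 'post-quickpress' ) && (int) $_POST['post_ID'] ) {
         $view = get_permalink( $_POST['post_ID'] );
-        $edit = esc_url( get_edit_post_link( $_POST['post_ID'] ) );
+        $edit = get_edit_post_link( $_POST['post_ID'] );
         if ( 'post-quickpress-publish' == $_POST['action'] ) {
             if ( current_user_can('publish_posts') )
-                printf( '<div class="message"><p>' . __( 'Post Published. <a href="%s">View post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', esc_url( $view ), $edit );
+                printf( '<div class="message"><p>' . __( 'Post Published. <a href="%s">View post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', $view , $edit );
             else
-                printf( '<div class="message"><p>' . __( 'Post submitted. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', esc_url( add_query_arg( 'preview', 1, $view ) ), $edit );
+                printf( '<div class="message"><p>' . __( 'Post submitted. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', add_query_arg( 'preview', 1, $view ), $edit );
         } else {
-            printf( '<div class="message"><p>' . __( 'Draft Saved. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', esc_url( add_query_arg( 'preview', 1, $view ) ), $edit );
+            printf( '<div class="message"><p>' . __( 'Draft Saved. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', add_query_arg( 'preview', 1, $view ), $edit );
             $drafts_query = new WP_Query( array(
                 'post_type' => 'post',
@@ -411,5 +411,5 @@
 ?>
 
-    <form name="post" action="<?php echo esc_url( admin_url( 'post.php' ) ); ?>" method="post" id="quick-press">
+    <form name="post" action="<?php echo admin_url( 'post.php' ); ?>" method="post" id="quick-press">
         <h4 id="quick-post-title"><label for="title"><?php _e('Title') ?></label></h4>
         <div class="input-text-wrap">
@@ -444,5 +444,5 @@
             <span id="publishing-action">
                 <input type="submit" name="publish" id="publish" accesskey="p" tabindex="5" class="button-primary" value="<?php current_user_can('publish_posts') ? esc_attr_e('Publish') : esc_attr_e('Submit for Review'); ?>" />
-                <img class="waiting" src="<?php echo esc_url( admin_url( 'images/wpspin_light.gif' ) ); ?>" />
+                <img class="waiting" src="<?php echo admin_url( 'images/wpspin_light.gif' ); ?>" />
             </span>
             <br class="clear" />
@@ -559,5 +559,5 @@
     $comment_post_title = strip_tags(get_the_title( $comment->comment_post_ID ));
     $comment_post_link = "<a href='$comment_post_url'>$comment_post_title</a>";
-    $comment_link = '<a class="comment-link" href="' . esc_url(get_comment_link()) . '">#</a>';
+    $comment_link = '<a class="comment-link" href="' . get_comment_link() . '">#</a>';
 
     $actions_string = '';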
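Review bot: The `add_query_arg( 'preview', 1, $view )` values printed into href attributes at new-side lines 391 and 393 of the first hunk are no longer wrapped in `esc_url()`, while the commit message only says that links are escaped by default; `add_query_arg()` composes a new URL string from `$view` rather than returning a link, so unless it was also changed to escape its output, those two hrefs now print an unescaped URL even though the bare `$view` on 389 can rely on `get_permalink()`. If `add_query_arg()` does not escape, keep the wrapper on those two arguments: `esc_url( add_query_arg( 'preview', 1, $view ) )`. The later hunks print the return value of `admin_url()` and `get_comment_link()` directly, which is what the commit's premise covers, so the same concern does not apply there. The function enclosing the first hunk starts before line 384 and continues past line 395.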